Hook Banking Trojan Can Simulate Clicks and Send WhatsApp Messages
An improved Android banking Trojan dubbed Hook by security researchers is capable of taking remote control of a mobile device, contributing to the growing overlap between surveillance malware and financial fraud.
The Trojan, which analysis by Danish cybersecurity firm ThreatFabric characterizes as an improved version of the existing Ermac Trojan, is able to perform a “full attack chain from infection to fraudulent transaction.”
Hook uses an implementation of virtual network computing (VNC), a form of screen sharing, to achieve in effect the functionality of a remote access tool: it can take screenshots, simulate clicks and input swipe gesture commands. It can also transmit geolocation data and take control of files on the device.
Hook can also open the WhatsApp chat app in order to extract messages, and it can send a new message that could be used by the Trojan’s operators to spread the malware further.
A threat actor known as DukeEugene, which for roughly 18 months now has been renting out Ermac, began offering Hook in mid-January, ThreatFabric says. The firm told Hacker News that access to Hook goes for an advertised price of $7,000 per month.
The emergence of Hook comes at a moment of growing global alarm over the commodification of advanced spyware and worries over the ease with which threat actors and governments alike can harvest private details from personal devices.
ThreatFabric says Hook is a variation of Ermac rather than a completely new Trojan, based on code similarities with Ermac, including some commands in Russian that don’t add functionality.
Ermac itself is a descendant of the mobile banking Trojan Cerberus, whose source code made its way online in 2020 via a Russian darknet forum (see: Attacks Using Cerberus Banking Trojan Surge).